Adobe rushes out patch to fix Flash security flaws exploited by Hacking Team

Fixes for flaws exploited by government hacking products company Hacking Team

Adobe has issued yet another patch to fix a series of critical security flaws uncovered in its ubiquitous Flash Player software - in particular, a zero-day flaw exploited by the hacking software vendor Hacking Team, whose network was busted last weekend.

The attack on Hacking Team led to almost all of the company's data and information - including emails and browser histories, as well as source code - being leaked and posted online. This revealed some of the otherwise unknown security flaws in software that the organisation had exploited in the products that it sold to government agencies around the world.

Adobe's latest patch address buffer overflow vulnerabilities, memory management flaws, security bypass vulnerabilities and remote code execution flaws, among a total of 36 listed flaws. The company has attributed the findings to a number of people and organisations, including Google Project Zero, HP, Alibaba, Tencent, Fortinet and NCC.

"These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe added. One flaw in particular, CVE-2015-5119, is already being exploited in the wild by cyber criminals.

It follows an earlier critical warning and rushed-out patch at the end of June, when security researchers warned that another, different security flaw was being exploited by cyber criminals.

And, just a week before that, Adobe was forced to release an emergency patch after it was revealed that APT3, a sophisticated hacking group based in China, had been exploiting the flaw.

Adobe's consumer products - both Adobe Flash and Adobe Acrobat Reader - have been beset by critical security flaws for a number of years. Both products are targeted by hackers in particular as they are used on all major platforms by pretty much everyone around the world.

Adobe claims that it is getting on top of the problem, and working to improve the sandboxing of both products in order to reduce the security risks they pose. However, questions have been raised over whether individuals and organisations would be safer to simply uninstall them entirely.